United States General Accounting Office
Washington, DC 20548

October 20, 2000

The Honorable Fred Thompson
Chairman, Committee on Governmental Affairs
United States Senate

Subject: Internet Privacy: Federal Agency Use of Cookies

Dear Mr. Chairman:

As requested by your office, we have been reviewing selected federal agencies’ use of
cookies on their web sites. A cookie is a short string of text — not a program — that is sent
from a web server to a web browser when the browser accesses a web page. The use of
cookies allows the server to recognize returning users, track on-line purchases, or maintain
and serve customized web pages. Domain cookies are cookies placed by the visited web site.
However, some web sites also allow the placement of third-party cookies — cookies placed on
a visitor’s computer by a domain other than the site being visited. The domain and
third-party cookies may be further grouped into session cookies and persistent cookies. Session
cookies are short-lived, are used only during the browsing session, and expire when the user
quits the browser. Persistent cookies specify expiration dates, remain stored on the client’s
computer until the expiration date, and can be used to track users’ browsing behavior by
identifying their Internet addresses whenever they return to a site.
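
The four categories described above can be read directly from the Set-Cookie header a server sends. The following Python code is an added example, not part of the GAO letter or its review method; the host names, cookie values, observation date, and the two-label `site_of` heuristic are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def site_of(host):
    # Assumption: the last two labels name the site (no public-suffix list).
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify(visited_host, setting_host, set_cookie, observed):
    """Return (name, 'domain'|'third-party', 'session'|'persistent').
    Anything that does not outlive the browsing session is reported as 'session'."""
    first, *rest = [p.strip() for p in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # A cookie belongs to the host that sent it unless Domain widens the scope.
    scope = attrs.get("domain", "").lstrip(".") or setting_host
    party = "domain" if site_of(scope) == site_of(visited_host) else "third-party"
    # Persistent: a positive Max-Age, or an Expires date after the observation.
    lifetime = "session"
    if "max-age" in attrs:
        age = attrs["max-age"]
        if age.lstrip("-").isdigit() and int(age) > 0:
            lifetime = "persistent"
    elif "expires" in attrs:
        try:
            if parsedate_to_datetime(attrs["expires"]) > observed:
                lifetime = "persistent"
        except (TypeError, ValueError):
            pass  # unparseable or zone-less date: not counted as persistent
    return name, party, lifetime

OBSERVED = datetime(2000, 10, 17, tzinfo=timezone.utc)  # constructed review date
# Constructed observations: (visited host, host that sent the header, Set-Cookie value)
SAMPLES = [
    ("www.agency.example", "www.agency.example", "SESSIONID=ab12; Path=/"),
    ("www.agency.example", "search.agency.example",
     "visitor=7f3c; Expires=Tue, 09 Nov 2010 23:12:40 GMT; Path=/"),
    ("www.agency.example", "ads.tracker.example",
     "uid=991; Domain=.tracker.example; Max-Age=31536000"),
    ("www.agency.example", "www.agency.example", "old=1; Max-Age=0"),
]

def audit(samples, observed=OBSERVED):
    return [classify(v, s, c, observed) for v, s, c in samples]
```
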

The purpose of this letter is to respond to your request for interim information on federal
agency use of cookies as of September and October 2000. Specifically, you asked us to
identify agency web sites that used cookies but did not disclose this use in their privacy
policies and to identify the type of cookie used. In addition, you asked us to identify agency
web sites that use persistent cookies. Enclosure I provides this information.

We reviewed 65 web sites. This total consisted of (1) the web sites operated by the 32
high-impact agencies, which handle the majority of the government’s contact with the public;
(2) 32 web sites randomly selected from the General Services Administration’s government
domain registry data base; and (3) the Federal Trade Commission’s web site. See enclosure
II for a list of the sites we reviewed. We reviewed certain web sites twice. During our
August through September 2000 review, we visited all 65 web sites to determine (1) which of
the selected federal sites were using cookies, (2) the type of cookies used, and (3) whether
the privacy policy disclosed that the site may or does use cookies. We again reviewed sites
that used cookies on October 17, 2000. We conducted our review from August through
October 2000 in accordance with generally accepted government auditing standards.

On October 18, 2000, we requested comments on a draft of this letter from the Office of
Management and Budget. In a letter dated October 19, 2000, OMB’s Deputy Director for
Management said that OMB appreciates the helpful information provided and plans to
contact these agencies to reinforce administration policy. She also noted that OMB has
required agencies to report directly to OMB in this year’s budget requests about the steps
they have taken to comply with administration policy concerning privacy, cookies, and
federal web sites. OMB’s letter is reprinted in enclosure III.

As agreed with your office, unless you publicly announce the contents of this letter earlier,
we will not distribute it until 30 days from its date. At that time, we will send copies of this
letter to the Honorable Joseph I. Lieberman, Ranking Minority Member, Senate Committee
on Governmental Affairs; and the Honorable Dan Burton, Chairman, and the Honorable
Henry A. Waxman, Ranking Minority Member, House Committee on Government Reform.
We are also providing a copy of this letter to the Honorable Jacob J. Lew, Director, Office of
Management and Budget. We will also provide copies to interested parties upon request.

Please contact me at (202) 512-6240 if you or your staff have any questions. I can also be
reached by e-mail at koontzl@gao.gov. Key contributors to this report were Scott A. Binder,
Mirko J. Dolak, and M. Yvonne Sanchez.

Sincerely yours,

Linda D. Koontz
Director, Information Management Issues

Enclosures

COOKIES ON SELECTED FEDERAL WEB SITES

Table 1: Federal Web Sites Giving Domain Cookies Without Disclosure

Web Site | Web Address | Persistent Cookie | Found in Sept. 2000 | Found in Oct. 2000
Office of Personnel Management | http://www.opm.gov/demos/index.htm
 | http://www.opm.gov
U.S. Trade and Development Agency | http://www.tda.gov/forms/guestbook.cfm
Bureau of Land Management |
Federal Aviation Administration |
Ames Laboratory | http://www.ameslab.gov/overview/glance.html
Bureau of Labor Statistics | http://www.bls.gov/search/search.as
 | http://www.bls.gov
Health Care Financing Administration | http://www.hcfa.gov/search/
National Park Service | http://reservations.nps.gov/
U.S. Forest Service | http://www.fs.fed.us/gtobau
 | http://www.fs.fed.us/reinvention/

Table 3: Federal Web Sites Giving Persistent Domain Cookies With Disclosure

Web Site | Web Address | Session Cookie / Persistent Cookie / Found in Sept. 2000 / Found in Oct. 2000
U.S. Postal Service | http://new.usps.com/cgi-bin/uspsbv/scripts/front.jsp | ✓ ♦ ♦
General Service Administration | http://pub.fss.gsa.gov/fmf current | ✓ ♦ ♦
Small Business Administration | http://app1.sba.gov/buscard/ | ✓ ♦
Institute of Museum and Library Services | http://www.imls.gov/utility/contact.htm when clicking on "About IMLS" | ✓ ♦

LIST OF FEDERAL WEB SITES REVIEWED

Agency/Department | Web Site Address | Group

Department of Agriculture
Animal and Plant Health Inspection Service | www.aphis.usda.gov | High-Impact Agency
Food Safety and Inspection Service | www.fsis.usda.gov | High-Impact Agency
Food, Nutrition, and Consumer Service | www.fns.usda.gov | High-Impact Agency
National Agricultural Library | www.nal.usda.gov | Random Sample
National Genetic Resources Program | www.ars-grin.gov | Random Sample
USDA Forest Service | www.fs.fed.us | High-Impact Agency

Department of Commerce
FedWorld | www.fedworld.gov | Random Sample
National Weather Service | www.nws.noaa.gov | High-Impact Agency
The Official U.S. Time | www.time.gov | Random Sample
U.S. Census Bureau | www.census.gov | High-Impact Agency
U.S. Commercial Service | www.usatrade.gov | High-Impact Agency
U.S. Patent and Trademark Office | www.uspto.gov | High-Impact Agency

Department of Defense
ACQWeb | www.acq.osd.mil | High-Impact Agency

Department of Education
Office of Student Financial Assistance Programs | www.ed.gov/offices/OSFAP | High-Impact Agency

Department of Energy
Albuquerque Operations Office | www.doeal.gov | Random Sample
Ames Laboratory | www.ameslab.gov | Random Sample
Fernald Environmental Management Project | www.fernald.gov | Random Sample
Southeastern Power Administration | www.sepa.fed.us | Random Sample

Department of Health and Human Services
Administration for Children and Families | www.acf.dhhs.gov | High-Impact Agency
Health Care Financing Administration | www.hcfa.gov | High-Impact Agency
IGnet | www.ignet.gov | Random Sample
National Institute of Allergy and Infectious Diseases | www.hsroad.gov | Random Sample
National Institute on Drug Abuse | www.drugabuse.gov | Random Sample
U.S. Food and Drug Administration | www.fda.gov | High-Impact Agency

Department of Housing and Urban Development
Code Talk¹ | www.codetalk.gov | Random Sample

Department of the Interior
Bureau of Land Management | www.blm.gov | High-Impact Agency
National Park Service | www.nps.gov | High-Impact Agency

Department of Justice
Federal Bureau of Investigation | www.fbi.gov | Random Sample
Immigration & Naturalization Service | www.ins.usdoj.gov | High-Impact Agency

Department of Labor
Bureau of Labor Statistics | www.bls.gov | Random Sample
Occupational Safety & Health Administration | www.osha.gov | High-Impact Agency

Department of State
Bureau of Consular Affairs | www.travel.state.gov | High-Impact Agency
International Information Programs | www.usia.gov | Random Sample

Department of Transportation
Central Federal Lands Highway Division | www.cflhd.gov | Random Sample
Federal Aviation Administration | www.faa.gov | High-Impact Agency

Department of the Treasury
Customs Service | www.customs.gov | High-Impact Agency
Financial Management Service | www.fms.treas.gov | High-Impact Agency
Internal Revenue Service | www.irs.ustreas.gov | High-Impact Agency

Department of Veterans Affairs
Veterans Benefits Administration | www.vba.va.gov | High-Impact Agency
Veterans Health Administration | www.va.gov/About_VA/Orgs/VHA/index.htm | High-Impact Agency

Independent Agencies
African Development Foundation | www.adf.gov | Random Sample
Environmental Protection Agency | www.epa.gov | High-Impact Agency
Farm Credit Administration | www.fca.gov | Random Sample
Farm Credit System Insurance Corporation | www.fcsic.gov | Random Sample
Federal Communications Commission | www.fcc.gov | Random Sample
Federal Emergency Management Agency | www.fema.gov | High-Impact Agency
Federal Retirement Thrift Investment Board | www.frtib.gov | Random Sample
Federal Trade Commission | www.ftc.gov | Special Selection
FinanceNet | www.financenet.gov | Random Sample
General Services Administration | www.gsa.gov | High-Impact Agency
Institute of Museum and Library Services | www.imls.fed.us | Random Sample
National Aeronautics and Space Administration | www.nasa.gov | High-Impact Agency
National Credit Union Administration | www.ncua.gov | Random Sample
National Science Foundation CISE | www.cise.nsf.gov | Random Sample
Occupational Safety and Health Review Commission | www.oshrc.gov | Random Sample
Office of the Federal Environmental Executive | www.ofee.gov | Random Sample
Office of Personnel Management | www.opm.gov | High-Impact Agency
Small Business Administration | www.sba.gov | High-Impact Agency
Social Security Administration | www.ssa.gov | High-Impact Agency
The Access Board | www.access-board.gov | Random Sample
The White House Fellows Program | www.whitehousefellows.gov | Random Sample
Thrift Savings Plan | www.tsp.gov | Random Sample
U.S. Nuclear Regulatory Commission | www.nrc.gov | Random Sample
U.S. Postal Service | new.usps.com | High-Impact Agency
U.S. Trade and Development Agency | www.tda.gov | Random Sample

¹Code Talk is an interagency site that is hosted but not owned by HUD.

COMMENTS FROM THE OFFICE OF MANAGEMENT AND BUDGET

EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503

DEPUTY DIRECTOR
FOR MANAGEMENT

October 19, 2000

Ms. Linda Koontz
Associate Director, Government-Wide
and Defense Information Systems
General Accounting Office
Washington, DC 20548

Dear Ms. Koontz:

Thank you for providing your draft report entitled Internet Privacy: Federal Use of
Cookies (GAO-01-147R), which I received this morning. I am pleased to present comments
from the Office of Management and Budget on this report.

As you know, OMB issued guidance on June 22, 2000 (Memorandum M-00-13)
concerning privacy policies and data collection on Federal web sites. There are particular
privacy concerns when web technology can track the activities of users over time and across
different web sites. In light of the unique laws and traditions about government access to the
personal information of citizens, the Director stated that the presumption should be that cookies
will not be used at Federal web sites or by contractors when operating web sites on behalf of
agencies. Under this policy, cookies should not be used unless there is: clear and conspicuous
notice; a compelling need to gather the data on the site; appropriate and publicly disclosed
privacy safeguards for handling of information derived from cookies; and personal approval by
the head of the agency.

This policy was explained in more detail in a letter on September 5, 2000 from OMB’s
Administrator of the Office of Information and Regulatory Affairs to the Chief Information
Officer at the Department of Commerce. As you correctly differentiate in your draft report, there
is an important distinction between so-called "persistent" cookies and "session" cookies. The
latter, which retain information only during a single session, do not collect information in ways
that raise privacy concerns. These session cookies also have important advantages for electronic
government, and do not fall within the scope of Memorandum 00-13.

Concerning your report, we appreciate the useful information that you have provided
about federal web sites that have not yet come into compliance with OMB policy. We will
contact those agencies promptly, to reinforce Administration policy.

As you know, the June 22, 2000, memorandum from OMB also required agencies to
report directly to OMB in this year’s budget requests, as part of the submission on information
technology, about the steps they have taken to comply with Administration policy concerning
privacy, cookies, and federal web sites. We will receive these reports from the agencies in
December, and use the data from these reports to make certain that the policy is being
implemented appropriately.

Thank you once again for providing us with the draft report, which assists our continuing
efforts to assure that web sites across the government are held to the highest standards of
protecting citizens' privacy.

Sincerely,

Sally Katzen